diff --git a/.gitignore b/.gitignore
index 37047d1..e6f026e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -22,3 +22,6 @@
 /usbguard-1.0.0.tar.gz
 /usbguard-1.1.0.tar.gz
 /usbguard-1.1.2.tar.gz
+/usbguard-notifier-0.1.1.tar.gz
+/usbguard-1.1.3.tar.gz
+/usbguard-selinux-0.0.5.tar.gz
diff --git a/disable-console-logging.patch b/disable-console-logging.patch
new file mode 100644
index 0000000..ee17b84
--- /dev/null
+++ b/disable-console-logging.patch
@@ -0,0 +1,12 @@
+diff -up usbguard-1.1.3/usbguard.service.in.orig usbguard-1.1.3/usbguard.service.in
+--- usbguard-1.1.3/usbguard.service.in.orig 2024-06-12 14:36:13.192536970 +0200
++++ usbguard-1.1.3/usbguard.service.in 2024-06-12 14:36:21.110609346 +0200
+@@ -8,7 +8,7 @@ OOMScoreAdjust=-1000
+ AmbientCapabilities=
+ CapabilityBoundingSet=CAP_CHOWN CAP_FOWNER CAP_AUDIT_WRITE
+ DevicePolicy=closed
+-ExecStart=%sbindir%/usbguard-daemon -f -s -c %sysconfdir%/usbguard/usbguard-daemon.conf
++ExecStart=%sbindir%/usbguard-daemon -f -s -K -c %sysconfdir%/usbguard/usbguard-daemon.conf
+ IPAddressDeny=any
+ LockPersonality=yes
+ MemoryDenyWriteExecute=yes
diff --git a/policykit-dbus-chat-selinux.patch b/policykit-dbus-chat-selinux.patch
deleted file mode 100644
index 8f0200e..0000000
--- a/policykit-dbus-chat-selinux.patch
+++ /dev/null
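Review bot: The new disable-console-logging.patch is never declared or applied in the usbguard.spec hunks of this commit: the Patch list hunk only removes Patch2 to Patch4, and the %prep hunk keeps `%patch -P 1 -p1 -b .catch` as its only patch step. As shown, the built unit would still start the daemon without `-K`, although the changelog entry says "Disable logging to console". I would add `Patch2: disable-console-logging.patch` after Patch1 and `%patch -P 2 -p1 -b .console-logging` in %prep. A comment above the Patch tag such as `# drop console output from the unit; -s (syslog) stays the log sink` would record the intent, since the patch file itself carries no description.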
@@ -1,22 +0,0 @@
-diff -up ./usbguard-selinux-0.0.4/usbguard.te.policykit ./usbguard-selinux-0.0.4/usbguard.te
---- ./usbguard-selinux-0.0.4/usbguard.te.policykit 2022-03-15 10:32:21.002852930 +0100
-+++ ./usbguard-selinux-0.0.4/usbguard.te 2022-03-15 10:36:47.844040559 +0100
-@@ -99,9 +99,17 @@ logging_log_filetrans(usbguard_t, usbgua
-
- logging_send_syslog_msg(usbguard_t)
-
--dbus_system_domain(usbguard_t, usbguard_exec_t)
- usbguard_ipc_access(usbguard_t)
-
-+optional_policy(`
-+ dbus_system_domain(usbguard_t, usbguard_exec_t)
-+
-+ optional_policy(`
-+ policykit_dbus_chat(usbguard_t)
-+ ')
-+')
-+
-+
- tunable_policy(`usbguard_daemon_write_rules',`
- rw_files_pattern(usbguard_t, usbguard_rules_t, usbguard_rules_t)
- ')
diff --git a/sources b/sources
index c5d8006..235cf86 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,3 @@
-SHA512 (usbguard-1.1.2.tar.gz) = 03b6dd026a0fe6a7a055208f09a56e2cc86985570388e33fde08671b8aa2d60ea4a0e59505e9646ddf50f42f5b6310d1b230379f9c26ec99c7ca736f3b4ad850
-SHA512 (usbguard-selinux-0.0.4.tar.gz) = b73b14396e40f847704511097bfed17c94b9b28cc70f3391a6effab763a315fe723aba37bb4c622d18ab691306c485fcd7632ccc8a837413f32c73cd9879c8b0
+SHA512 (usbguard-notifier-0.1.1.tar.gz) = 5540739301f4f4c83f7443b740cf7345be7928f3ed697878094dee1752eac7dedfab9eb652856bfa555be9bfa24687c4b74194afa022973848af13328f0ca1ba
+SHA512 (usbguard-1.1.3.tar.gz) = 530bfea12ec8497c30d530c73f868207aad8b0e0e917cb7c7506f6148681a6a4ff12de5cddcfea458eb2b91ce8bb8b0e68d42e2590a4dc6b15f43c18f8256cf1
+SHA512 (usbguard-selinux-0.0.5.tar.gz) = 72b12e6a44dddfd863909f82e288170f935c4e941cb65678cd544fd0fa33ecce0a794c4b620dea9f496a45f2035d3b3b6dde662319db200eaff38e26999c4496
diff --git a/usbguard-gcc13.patch b/usbguard-gcc13.patch
deleted file mode 100644
index 2229079..0000000
--- a/usbguard-gcc13.patch
+++ /dev/null
@@ -1,12 +0,0 @@ -diff --git a/src/Library/Base64.hpp b/src/Library/Base64.hpp -index 0947f21..aa76311 100644 ---- a/src/Library/Base64.hpp -+++ b/src/Library/Base64.hpp -@@ -24,6 +24,7 @@ - - #include - #include -+#include - - namespace usbguard - { diff --git a/usbguard-selinux-audit-write.patch b/usbguard-selinux-audit-write.patch deleted file mode 100644 index 4d8b376..0000000 --- a/usbguard-selinux-audit-write.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up usbguard-1.1.0/usbguard-selinux-0.0.4/usbguard.te.orig usbguard-1.1.0/usbguard-selinux-0.0.4/usbguard.te ---- usbguard-1.1.0/usbguard-selinux-0.0.4/usbguard.te.orig 2023-07-27 10:41:25.540984667 +0200 -+++ usbguard-1.1.0/usbguard-selinux-0.0.4/usbguard.te 2023-07-27 10:41:59.970006413 +0200 -@@ -68,7 +68,7 @@ files_pid_file(usbguard_var_run_t) - # Local policy - # - --allow usbguard_t self:capability { chown fowner }; -+allow usbguard_t self:capability { chown fowner audit_write }; - allow usbguard_t self:netlink_kobject_uevent_socket { bind create setopt read }; - allow usbguard_t self:netlink_audit_socket { nlmsg_relay create_netlink_socket_perms }; - diff --git a/usbguard.spec b/usbguard.spec index 09bae0b..9387e29 100644 --- a/usbguard.spec +++ b/usbguard.spec @@ -1,9 +1,11 @@ +%global _hardened_build 1 %global selinuxtype targeted %global moduletype contrib -%define semodule_version 0.0.4 +%define semodule_version 0.0.5 +%define notifier_version 0.1.1 Name: usbguard -Version: 1.1.2 +Version: 1.1.3 Release: 2%{?dist} Summary: A tool for implementing USB device usage policy License: GPL-2.0-or-later 
@@ -11,8 +13,10 @@ License: GPL-2.0-or-later # src/ThirdParty/Catch: Boost Software License - Version 1.0 URL: https://usbguard.github.io/ Source0: https://github.com/USBGuard/usbguard/releases/download/%{name}-%{version}/%{name}-%{version}.tar.gz -Source1: https://github.com/USBGuard/usbguard/releases/download/%{name}-selinux-%{semodule_version}/%{name}-selinux-%{semodule_version}.tar.gz -Source2: usbguard-daemon.conf +Source1: https://github.com/USBGuard/usbguard-selinux/archive/refs/tags/v%{semodule_version}.tar.gz#/%{name}-selinux-%{semodule_version}.tar.gz +Source2: https://github.com/Cropi/%{name}-notifier/releases/download/%{name}-notifier-%{notifier_version}/%{name}-notifier-%{notifier_version}.tar.gz +Source3: usbguard-daemon.conf + Requires: systemd Requires(post): systemd @@ -21,14 +25,14 @@ Requires(postun): systemd Requires(post): /sbin/ldconfig Requires(postun): /sbin/ldconfig -Requires: (%{name}-selinux if selinux-policy-%{selinuxtype}) +Recommends: (%{name}-selinux if selinux-policy-%{selinuxtype}) Obsoletes: %{name}-applet-qt < 0.7.6 BuildRequires: make BuildRequires: gcc BuildRequires: gcc-c++ BuildRequires: libqb-devel -BuildRequires: libgcrypt-devel +BuildRequires: openssl-devel BuildRequires: libstdc++-devel BuildRequires: protobuf-devel protobuf-compiler BuildRequires: PEGTL-static @@ -41,10 +45,6 @@ BuildRequires: audit-libs-devel BuildRequires: systemd Patch1: usbguard-revert-catch.patch -Patch2: policykit-dbus-chat-selinux.patch -# https://github.com/USBGuard/usbguard/pull/582 -Patch3: usbguard-gcc13.patch -Patch4: usbguard-selinux-audit-write.patch %description The USBGuard software framework helps to protect your computer against rogue USB 
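Review bot: Nothing in the Source hunk records where the two new tarballs come from or why those locations are authoritative. Source1 now points at GitHub's generated tag archive (`archive/refs/tags/v%{semodule_version}.tar.gz`) instead of an uploaded release asset, and Source2 is fetched from the individual `Cropi` account rather than the USBGuard organisation. The SHA512 entries in `sources` are therefore the only integrity anchor for both, and no signature check is visible. I would add a short comment above each tag stating which repository is the authoritative upstream for that component. I would also prefer an uploaded release asset for Source1 if upstream publishes one, since a generated archive is not a fixed artifact.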
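Review bot: Downgrading `%{name}-selinux` from `Requires:` to `Recommends:` lets the daemon be installed on a host that has selinux-policy-targeted but not the usbguard policy module, for example when weak dependencies are switched off in the package manager or in a minimal image build. In that case usbguard-daemon would presumably run without its dedicated domain, and neither the changelog nor the hunk explains the change. If the weak dependency is intentional, add a comment such as `# weak dep on purpose: <reason / bug reference>` above the tag; otherwise keep `Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})`.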
@@ -99,22 +99,38 @@ BuildArch: noarch The %{name}-selinux package contains selinux policy for the USBGuard daemon. -# usbguard +%package notifier +Summary: A tool for detecting usbguard policy and device presence changes +Group: Applications/System +Requires: %{name} = %{version}-%{release} +Requires: systemd +BuildRequires: librsvg2-devel +BuildRequires: libnotify-devel +BuildRequires: execstack + +%description notifier +The %{name}-notifier package detects usbguard policy modifications as well as +device presence changes and displays them as pop-up notifications. + %prep + +# usbguard %setup -q # selinux %setup -q -D -T -a 1 +# notifier +%setup -q -D -T -a 2 + %patch -P 1 -p1 -b .catch -%patch -P 2 -p1 -b .policykit -%patch -P 3 -p1 -b .gcc13 -%patch -P 4 -p1 # Remove bundled library sources before build rm -rf src/ThirdParty/{Catch,PEGTL} %build + +# usbguard mkdir -p ./m4 autoreconf -i -v --no-recursive ./ %configure \ @@ -124,7 +140,7 @@ autoreconf -i -v --no-recursive ./ --enable-systemd \ --with-dbus \ --with-polkit \ - --with-crypto-library=gcrypt + --with-crypto-library=openssl make %{?_smp_mflags} @@ -133,6 +149,22 @@ pushd %{name}-selinux-%{semodule_version} make popd +# notifier +pushd %{name}-notifier-%{notifier_version} +mkdir -p ./m4 +autoreconf -i -v --no-recursive ./ +export CXXFLAGS="$RPM_OPT_FLAGS" +%configure \ + --disable-silent-rules \ + --without-bundled-catch \ + --enable-debug-build \ + --disable-notifier-cli \ + --with-usbguard-devel="../" + +%set_build_flags +make %{?_smp_mflags} +popd + %check make check 
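Review bot: In the notifier build step (the %build section begins above this hunk) the package is configured with `--enable-debug-build`, and `%set_build_flags` is only invoked after `%configure`, where it can no longer influence what configure records. What the debug switch changes is not visible here. If it lowers optimisation or appends its own flags, it may weaken the hardening that `%global _hardened_build 1` and `$RPM_OPT_FLAGS` are meant to provide, because source fortification depends on optimisation being enabled. I would drop `--enable-debug-build` unless it is required, and either move `%set_build_flags` above `%configure` or remove it together with the manual `export CXXFLAGS="$RPM_OPT_FLAGS"`.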
@@ -147,7 +179,7 @@ make install INSTALL='install -p' DESTDIR=%{buildroot} mkdir -p %{buildroot}%{_sysconfdir}/usbguard mkdir -p %{buildroot}%{_sysconfdir}/usbguard/rules.d mkdir -p %{buildroot}%{_sysconfdir}/usbguard/IPCAccessControl.d -install -p -m 644 %{SOURCE2} %{buildroot}%{_sysconfdir}/usbguard/usbguard-daemon.conf +install -p -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/usbguard/usbguard-daemon.conf # selinux install -d %{buildroot}%{_datadir}/selinux/packages/%{selinuxtype} @@ -155,6 +187,12 @@ install -m 0644 %{name}-selinux-%{semodule_version}/%{name}.pp.bz2 %{buildroot}% install -d -p %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype} install -p -m 644 %{name}-selinux-%{semodule_version}/%{name}.if %{buildroot}%{_datadir}/selinux/devel/include/%{moduletype}/ipp-%{name}.if +# notifier +pushd %{name}-notifier-%{notifier_version} +make install INSTALL='install -p' DESTDIR=%{buildroot} +execstack -c %{buildroot}%{_bindir}/%{name}-notifier +popd + # Cleanup find %{buildroot} \( -name '*.la' -o -name '*.a' \) -exec rm -f {} ';' 
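Review bot: `execstack -c %{buildroot}%{_bindir}/%{name}-notifier` clears the executable-stack marker on the installed binary after the fact instead of fixing whatever makes the linker set it. The cause therefore stays in the build, and the marker returns if this line is ever dropped. I would identify the object that lacks a `.note.GNU-stack` section, or pass `-Wl,-z,noexecstack` through LDFLAGS in the notifier's %build, and then remove both this line and `BuildRequires: execstack`. If the post-processing has to stay, add a comment naming the reason and a %check step such as `readelf -lW %{buildroot}%{_bindir}/%{name}-notifier | grep GNU_STACK` so the resulting flags appear in the build log. The %install section this belongs to starts outside the hunk.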
@@ -230,8 +268,32 @@ fi %posttrans selinux %selinux_relabel_post -s %{selinuxtype} +%files notifier +%defattr(-,root,root,-) +%doc %{name}-notifier-%{notifier_version}/README.md %{name}-notifier-%{notifier_version}/CHANGELOG.md +%license %{name}-notifier-%{notifier_version}/LICENSE +%{_bindir}/%{name}-notifier +%{_mandir}/man1/%{name}-notifier.1.gz +%{_userunitdir}/%{name}-notifier.service + +%post notifier +%systemd_user_post \--preset-mode=disable-only %{name}-notifier.service + +%preun notifier +%systemd_user_preun %{name}-notifier.service + +%postun notifier +%systemd_user_postun_with_restart %{name}-notifier.service + %changelog +* Fri Jun 07 2024 Attila Lakatos - 1.1.3-2 +- Rebase to 1.1.3 +- Update usbguard-selinux subpackage +- Include usbguard-notifier subpackage +Resolves: RHEL-37322 +- Disable logging to console + * Sat Jan 27 2024 Fedora Release Engineering - 1.1.2-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild